Three risk experts, led by Alex Sidorenko, chief risk officer and founder of RISK-ACADEMY, and group head of risk, insurance and internal audit at Serra Verde Group, explore how organisations can overcome the board-risk disconnect.

The board-risk disconnect: a critical challenge

In boardrooms across the globe, a troubling disconnect persists.


Board members review colourful risk matrices in agenda item #7—long after they’ve already approved budgets, investments, and major contracts. Meanwhile, risk managers struggle to communicate meaningful insights that actually influence these critical decisions.

This fundamental failure threatens organisational resilience and strategic success. The DCRO Institute and Risk Academy recently hosted a conversation between Board members and CROs to discuss this.

“Risk management is not just about minimising threats,” explains Yvonne Stillhart, who serves on multiple boards including UBS Asset Management.

“What I would like to understand is how much does a cyber attack cost me? What’s the day of outage? What is the effect on my business ability? Risk management is not what happened in the past quarter.”

This revelation points to a startling truth: most organisations operate with an outdated RM1 approach (compliance-focused risk management) when they desperately need RM2 (decision-centric risk management).

https://www.youtube.com/embed/Ex91XHl6WUM?si=dnpa6x_yYOvFPLa9

The decision-centric revolution

The most groundbreaking insight emerging from leading risk practitioners is disarmingly simple yet revolutionary: risk management must be integrated into every decision, not treated as a separate function.

“For me, it should really be on every agenda item that’s being discussed,” Stillhart emphasises. “That is why it’s important to have a dynamic risk management. And that’s not done in Agenda Point 7, where everybody looks at sort of red, green, and amber points.”

This integration requires a fundamental shift in thinking. Rather than presenting simplified “high/medium/low” rankings after decisions are made, risk analysis must become an integral part of the decision-making process itself. This means:

  • Presenting multiple scenarios with different risk profiles for each major decision
  • Showing ranges and distributions rather than single-point estimates
  • Translating technical risk concepts into business impacts—revenue, cost, timeline, and competitive positioning

Eric Mai, director of Enterprise Risk Management for Delta Air Lines, reinforces this: “Give us an opportunity to be part of that discussion from the beginning. Don’t bring your risk team a completed transaction or strategy and ask if there’s risk with the deal?”

Board-level risk communication

Board-level risk communication hinges on bridging the gap between technical risk insights and the board’s oversight role. Board members need clear, decision-relevant framing aligned with their priorities.

Rather than focusing on loss probabilities or control issues, risks should be communicated in terms of how they impact business performance metrics and strategic goals.

For example, supply chain risk should be linked to business continuity: “A disruption could delay our product launch by 3-4 months, making Q3 revenue targets unachievable and potentially losing market share to Competitor X who is launching a similar product.”

The most insightful risk analysis will fail if cluttered with jargon or lengthy technical reports. Board members require concise, visual, and intuitive information designed for quick comprehension and focused discussion.

Technical metrics should be translated into “days of downtime,” “impacted customers,” or “potential cost impact” that align with strategic concerns.

Risk escalation to the board

Boards can only fulfill their oversight responsibility with timely information. Learning about a risk after it has materialised during a quarterly review eliminates the opportunity for intervention. Clear escalation protocols should establish:

  • Specific criteria for when a risk must be escalated to the board
  • Who is responsible for the escalation
  • How the information should be communicated
  • Tiered thresholds to prevent overwhelming the board while ensuring material issues receive attention

These protocols empower the board to fulfill its governance role proactively rather than reactively.

Maturity evolution: from compliance to strategic value

Organisations typically evolve through several stages of risk management maturity:

  • Level 1: Separate risk reporting (the risk register/heat map approach)
  • Level 2: Risk insights integrated into every board agenda item
  • Level 3: Risk-based decision-making embedded throughout the organisation

The transition between these levels requires both behavioral and cultural change. As Mai explains, “Behavioral change is really hard because if you’re not part of that integrated process, if you’re not brought to the table… it really comes down to how effective can you can be influencing by the information you bring into that boardroom for the decision that needs to be made.”

This cultural shift demands that risk managers speak the language of business. “Let’s all speak in business terms,” Stillhart advises. “Let’s use words that mean something, describe the probability. Also sensitise the board to probability, uncertainty and what are the implications.”

Practical steps toward risk-based decision making

To transform risk management from a compliance exercise to a strategic advantage:

  1. Integrate risk analysis into existing processes rather than creating separate risk functions
  2. Present multiple options with different risk profiles instead of single recommendations
  3. Translate risk concepts into business metrics that executives and board members understand
  4. Build risk considerations into early-stage planning instead of after-the-fact assessments
  5. Foster a risk-aware culture where everyone sees themselves as responsible for managing uncertainty

The transformation begins with risk managers developing new competencies. Understanding probability theory, decision science, and behavioral economics is far more valuable than mastering compliance frameworks.

As one risk leader notes, “Learning how to build an influence diagram or a decision tree and then converting it into a stochastic model, running simulations and back testing model assumptions will prepare you for any emerging risk on the planet.”

The strategic imperative

Organisations that fail to evolve beyond compliance-focused risk management face existential threats in today’s volatile environment. Those that successfully integrate risk analysis into decision-making gain a powerful competitive advantage—making better decisions faster with greater confidence.

As Eric Mai concludes, “If you’re trying to be successful and build a business as a going concern, you want to know what you can do, but what you’re capable of doing, even if you need to stretch, but you don’t want to get so far out of your skis that you jeopardise the integrity of the organisation.” 

The question for leaders is clear: Will you continue treating risk management as a separate compliance function, or will you transform it into an essential component of strategic decision-making? In today’s uncertain world, the answer may determine whether your organisation merely survives or truly thrives.

What specific aspect of decision-centric risk management would most benefit your organisation right now?